first draft

attack/content.aux

@@ -0,0 +1,48 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}}
+\@setckpt{content}{
+\setcounter{page}{11}
+\setcounter{equation}{0}
+\setcounter{enumi}{0}
+\setcounter{enumii}{0}
+\setcounter{enumiii}{0}
+\setcounter{enumiv}{0}
+\setcounter{footnote}{0}
+\setcounter{mpfootnote}{0}
+\setcounter{beamerpauses}{1}
+\setcounter{bookmark@seq@number}{0}
+\setcounter{lecture}{0}
+\setcounter{part}{0}
+\setcounter{section}{0}
+\setcounter{subsection}{0}
+\setcounter{subsubsection}{0}
+\setcounter{subsectionslide}{10}
+\setcounter{framenumber}{9}
+\setcounter{figure}{0}
+\setcounter{table}{0}
+\setcounter{parentequation}{0}
+\setcounter{theorem}{0}
+\setcounter{lstnumber}{1}
+\setcounter{section@level}{0}
+\setcounter{lstlisting}{0}
+}

attack/content.tex

@@ -0,0 +1,94 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{What changed since the last workshop?}
+  \begin{itemize}
+    \item ATT\&CK has been steadily on the rise
+    \item We have observerd it becoming a {\bf baseline for contextualisation} in several communities
+    \item Relatively {\bf simple} to understand
+    \item Makes the {\bf ingestion} of data based on context much easier
+    \item Its use boosts {\bf analytical use-cases} (risk assessment, threat intelligence)
+    \item This made us think about how we could further capitalise on its success
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{New ATT\&CK sighting reporting format}
+  \begin{itemize}
+    \item Result of discussions with Mitre
+    \item MISP server hosts can now decide to export an {\bf enumeration of the patterns} used based on the data-set
+    \item Subject to all regular {\bf restSearch filtering methods} (time, organisation, context, etc)
+    \item Export returns the data-set in Mitre's owns {\bf ATT\&CK sighting format}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Searching our data-set for ATT\&CK-like matrix heatmaps}
+  \begin{itemize}
+    \item new standard {\bf restSearch return format}
+    \item Returns {\bf HTML navigator-like heatmap}
+    \item Easy integration into existing web applications
+    \item Make use of all the MISP API filtering options
+    \item Interested in how the rest of your {\bf sector} shapes up?
+    \item Or perhaps different {\bf time} frames?
+    \item Why not both and {\bf compare} them?
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Searching our data-set for ATT\&CK-like matrix heatmaps}
+  \begin{itemize}
+    \item The full dataset for a given time in an instance
+  \end{itemize}
+  \includegraphics[scale=0.18]{matrix.png}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Searching our data-set for ATT\&CK-like matrix heatmaps}
+  \begin{itemize}
+    \item The full dataset for a given time in an instance
+  \end{itemize}
+  \includegraphics[scale=0.18]{matrix2.png}
+\end{frame}
+
+\begin{frame}
+  \frametitle{ATT\&CK matrices as a standardised methodology}
+  \begin{itemize}
+    \item The advent of ATT\&CK had a secondary effect that was somewhat anticipated
+    \item {\bf Francesco Bigarella} from ING showcased {\bf attack4fraud}
+    \begin{itemize}
+      \item {\bf ATT\&CK like matrix}
+      \item Makes use of kill-chain phases 
+      \item Enables all of the advantages provided by the framework (such as technique frequency analysis)
+    \end{itemize}
+    \item This inspired us to allow for other matrix-like galaxies to be added
+  \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{ATT\&CK matrices as a standardised methodology outcomes}
+  \begin{itemize}
+    \item Several ATT\&CK like matrices added since
+    \begin{itemize}
+      \item {\bf Election guidelines}
+      \item {\bf Office 365 exchange techniques}
+    \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Election guidelines}
+  \includegraphics[scale=0.3]{election.png}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Office 365 techniques}
+  \includegraphics[scale=0.3]{office.png}
+\end{frame}
+

attack/slide.aux

@@ -0,0 +1,27 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\BKM@entry[2]{}
+\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
+\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
+\global\let\oldcontentsline\contentsline
+\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
+\global\let\oldnewlabel\newlabel
+\gdef\newlabel#1#2{\newlabelxx{#1}#2}
+\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
+\AtEndDocument{\ifx\hyper@anchor\@undefined
+\let\contentsline\oldcontentsline
+\let\newlabel\oldnewlabel
+\fi}
+\fi}
+\global\let\hyper@last\relax 
+\gdef\HyperFirstAtBeginDocument#1{#1}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\@input{content.aux}
+\providecommand \oddpage@label [2]{}
+\pgfsyspdfmark {pgfid1}{1398509}{16987808}
+\@writefile{nav}{\headcommand {\beamer@partpages {1}{10}}}
+\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{10}}}
+\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{10}}}
+\@writefile{nav}{\headcommand {\beamer@documentpages {10}}}
+\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {9}}}

attack/slide.nav

@@ -0,0 +1,25 @@
+\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
+\headcommand {\beamer@framepages {1}{1}}
+\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
+\headcommand {\beamer@framepages {2}{2}}
+\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
+\headcommand {\beamer@framepages {3}{3}}
+\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
+\headcommand {\beamer@framepages {4}{4}}
+\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
+\headcommand {\beamer@framepages {5}{5}}
+\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
+\headcommand {\beamer@framepages {6}{6}}
+\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
+\headcommand {\beamer@framepages {7}{7}}
+\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
+\headcommand {\beamer@framepages {8}{8}}
+\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}
+\headcommand {\beamer@framepages {9}{9}}
+\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}
+\headcommand {\beamer@framepages {10}{10}}
+\headcommand {\beamer@partpages {1}{10}}
+\headcommand {\beamer@subsectionpages {1}{10}}
+\headcommand {\beamer@sectionpages {1}{10}}
+\headcommand {\beamer@documentpages {10}}
+\headcommand {\gdef \inserttotalframenumber {9}}

attack/slide.tex

@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{Turning data into actionable intelligence}
+\subtitle{advanced features in MISP supporting your analysts and tools}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+